infamousjoeg / pyaim

@CyberArk Application Access Manager Client Library for Python 3
https://pypi.org/project/pyaim/
MIT License

How to specify the username #11

Closed PeerBoerner1 closed 4 years ago

PeerBoerner1 commented 5 years ago

Firstly, many thanks for creating this module. It's very helpful indeed.

I'm almost afraid to ask, but how do you specify the username for the account you wish to retrieve the password for? Under windows, when I run the command line tool, I issue a command similar to this one: CLIPasswordSDK64.exe GetPassword /p AppDescs.AppID=MyAppID /p Query=Safe=TheSafeINeed;Folder=Root;UserName=TheUserName /o Password

Here's how I call your routine:

from pyaim import CLIPasswordSDK

cli = CLIPasswordSDK(rf"{sdk_path}\CLIPasswordSDK64.exe")
password = cli.GetPassword('MyAppID', 'TheSafeINeed', 'Username=SVC_MLAI_D')

I recognize that the third argument should be the objectName but I'm not sure how to provide that. I've tried many combinations with no luck.

Any advice would be very much appreciated.

Many thanks again for this module.

infamousjoeg commented 5 years ago

Is it a question of how to provide it or not knowing what value to provide? The Object Name is the same as the "Name" you can obtain within CyberArk's Password Vault Web Access (PVWA).

The reason I chose to exclude Username and opted to only require Object Name is because the Object Name within CyberArk is a unique value. Using Username could run into potential issues where you have, for example, 50 Windows local administrator accounts all with the Username Administrator in the same safe. It would fail to return a relevant password value.
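As an added example (not pyaim's own code and not from anyone in this thread), the following Python builds the CLIPasswordSDK64.exe GetPassword call in the Query form quoted above and shows the Object Name versus UserName point made in this reply: a constructed inventory with two local Administrator accounts in one safe makes a UserName lookup ambiguous, while the Object name stays unique. It assumes "Object" is the Credential Provider query key for the object name, invokes the CLI as an argv list (no shell, so the ';' separators are never shell-parsed), and swaps subprocess.run for a constructed fake so it runs offline.

```python
import subprocess

# Added example, not pyaim's code. It builds the CLIPasswordSDK64.exe
# GetPassword call in the form quoted in the thread and shows why a lookup by
# Object name is safe while a lookup by UserName can be ambiguous.
# Assumption: "Object" is the Credential Provider query key for the object name.

# Constructed inventory: (safe, username, object name). Two local admins share
# the username "Administrator"; only the object names are unique.
SAMPLE_INVENTORY = [
    ("TheSafeINeed", "Administrator",
     "Operating System-WinServerLocal-host1.example.com-Administrator"),
    ("TheSafeINeed", "Administrator",
     "Operating System-WinServerLocal-host2.example.com-Administrator"),
    ("TheSafeINeed", "SVC_MLAI_U",
     "Operating System-WinSVC_NonInteractive-ad.someplace.com-SVC_MLAI_U"),
]


def build_query(safe, object_name=None, username=None, folder="Root"):
    """Return the Query=... value. Object is preferred because it is unique."""
    if not object_name and not username:
        raise ValueError("either object_name or username is required")
    parts = [f"Safe={safe}", f"Folder={folder}"]
    if object_name:
        parts.append(f"Object={object_name}")
    else:
        parts.append(f"UserName={username}")
    return ";".join(parts)


def build_argv(sdk_path, app_id, query):
    """argv list for the CLI. No shell is involved, so ';' in the query is literal."""
    return [sdk_path, "GetPassword",
            "/p", f"AppDescs.AppID={app_id}",
            "/p", f"Query={query}",
            "/o", "Password"]


def pick_object_name(inventory, safe, username):
    """Map a username to an object name; refuse when the username is not unique."""
    matches = [obj for (s, user, obj) in inventory if s == safe and user == username]
    if len(matches) != 1:
        raise LookupError(
            f"{len(matches)} accounts with UserName={username!r} in safe {safe!r}; "
            "query by Object name instead")
    return matches[0]


def get_password(sdk_path, app_id, query, run=subprocess.run):
    """Run the CLI and return the secret. `run` is injectable for offline testing."""
    result = run(build_argv(sdk_path, app_id, query),
                 capture_output=True, text=True, check=False)
    if result.returncode != 0:
        # Surface the CLI error (e.g. an APPAP... code); never echo a secret here.
        raise RuntimeError(result.stderr.strip() or result.stdout.strip())
    return result.stdout.strip()


def fake_run(argv, **kwargs):
    """Constructed stand-in for subprocess.run; only Object queries succeed."""
    query = next(a for a in argv if a.startswith("Query="))
    if "Object=" in query:
        return subprocess.CompletedProcess(argv, 0, stdout="s3cret-constructed\n", stderr="")
    return subprocess.CompletedProcess(argv, 1, stdout="",
                                       stderr="constructed error: query must name an Object\n")


if __name__ == "__main__":
    exe = r"C:\Program Files (x86)\CyberArk\ApplicationPasswordSdk\CLIPasswordSDK64.exe"
    obj = pick_object_name(SAMPLE_INVENTORY, "TheSafeINeed", "SVC_MLAI_U")
    query = build_query("TheSafeINeed", object_name=obj)
    print(build_argv(exe, "MyAppID", query))
    # Swap fake_run for the default subprocess.run on a host with the CLI installed.
    print(len(get_password(exe, "MyAppID", query, run=fake_run)), "chars returned")
    try:
        pick_object_name(SAMPLE_INVENTORY, "TheSafeINeed", "Administrator")
    except LookupError as err:
        print("refused:", err)
```

On a host with the Credential Provider CLI installed, drop the run=fake_run argument and get_password calls the real executable; the returned secret is only ever handed back to the caller, never printed or logged.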

PeerBoerner1 commented 5 years ago

This is a question of what to provide as the object type. I need to retrieve the password for a specific user account. In our case, all user accounts will have unique names. So, how should I go about finding what a given object's name is? (As you can probably tell, I'm not a CyberArk expert.) Do I look up the object name in CyberArk directly for the username in question?

Many thanks for your quick response.

Peer

PeerBoerner1 commented 5 years ago

I’m not a CyberArk expert, so please forgive the question. When I log into CyberArk, where can I find the object name for the user account I’m interested in? Is it the “Name” that I see? It looks like a long string but certainly seems unique. Or is there an attribute called objectName that I can use?

Really appreciate your help

Peer


On May 21, 2019, at 4:36 PM, Joe Garcia, CISSP notifications@github.com wrote:

Is it a question of how to provide it or not knowing what value to provide? The Object Name is the same as the "Name" you can obtain within CyberArk's Password Vault Web Access (PVWA).

The reason I chose to exclude Username and opted to only require Object Name is because the Object Name within CyberArk is a unique value. Using Username could run into potential issues where you have, for example, 50 Windows local administrator accounts all with the Username Administrator in the same safe. It would fail to return a relevant password value.


PeerBoerner1 commented 5 years ago

A little more information. I've modified the URL to "someplace" so that I can share publicly.

Here is the GetPassword API call.

import os
from pyaim import CLIPasswordSDK

sdk_path = os.path.normpath(r'C:\Program Files (x86)\CyberArk\ApplicationPasswordSdk\CLIPasswordSDK64.exe')
cli = CLIPasswordSDK(sdk_path)
passwd = cli.GetPassword('MLAI_NP', 'MLAI_NP', 'Operating System-WinSVC_NonInteractive-ad.someplace.com-SVC_MLAI_U')

Here's the error I get: Exception: APPAP007E Connection to the Vault has failed (Error: ITACM037S The server could not complete the operation because the vault was temporarily unavailable. If this error recurs, please logoff from the vault, logon again and retry the operation. (Diagnostic information: 537,10049) , Diagnostic Info: 11)

BUT, if I modify your API and use "Username" instead with the Username of the account, everything works fine.

Any help would be appreciated!!

Thanks in advance.

peer

JimmyJamTQBD commented 5 years ago

Hello @PeerBoerner1, from the error it looks like the call that was made errored because the Credential Provider was not communicating with the Vault correctly. If you restart the Credential Provider service, this should get you the results by using the objectName.

Now onto why it worked with userName: This could be due to you putting the parameters in a way that is making a REST call to the PVWA WebServices and not through AIM. When you changed the call to userName did you get the password value back as a response or did you get Account information back?

With this module, it is using the AIM (now AAM) as a vehicle for pulling the password content. -James

infamousjoeg commented 5 years ago

@PeerBoerner1 was what @JimmyJamTQBD suggested successful?

The other reason why it'd work with userName is because it's pulling from the Credential Provider cache and not requiring any communication to the Vault despite the Credential Provider communication to the Vault being borked. This is part of the HA provided by a local Credential Provider.

Let me know if restarting the Credential Provider helped in resolving your connection issues.